[Commits] 212b8407074: MDEV-16517: Server crash in Item_func_in::val_int() when

19 Jun 2018

revision-id: 212b8407074564c349e6bc61c7ca4554ad60ed79 (mariadb-10.2.15-67-g212b8407074)
parent(s): 10d09a57f88cafaabcb6ba8475c1951fe329756e
author: Galina Shalygina
committer: Galina Shalygina
timestamp: 2018-06-19 19:19:40 +0200
message:

MDEV-16517: Server crash in Item_func_in::val_int() when
            IN predicate defined with non-constant values is pushed down

The problem appears because of wrong changes made in MDEV-16090 in the
Item_func_in::build_clone() method.
For the clone of the IN predicate it copied 'cmp_fields' array values
that become dirty after Item::cleanup_excluding_const_fields_processor
work in pushdown. That causes crash.
There is no need to copy 'cmp_fields' field, the array values should be
NULL so in fix_fields() for the cloned IN predicate they can be set correctly.

---
 mysql-test/r/derived_cond_pushdown.result | 34 +++++++++++++++++++++++++++++++
 mysql-test/t/derived_cond_pushdown.test   | 33 ++++++++++++++++++++++++++++++
 sql/item_cmpfunc.cc                       |  2 +-
 3 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/mysql-test/r/derived_cond_pushdown.result b/mysql-test/r/derived_cond_pushdown.result
index 83e70dd634c..2fb0d471c71 100644
--- a/mysql-test/r/derived_cond_pushdown.result
+++ b/mysql-test/r/derived_cond_pushdown.result
@@ -9669,3 +9669,37 @@ EXPLAIN
   }
 }
 DROP TABLE t1;
+#
+# MDEV-16517: pushdown condition with the IN predicate defined
+#             with non-constant values
+#
+CREATE TABLE t1 (a INT, b INT);
+INSERT INTO t1 VALUES (1,2),(1,3);
+SELECT * FROM
+(
+SELECT t1.a
+FROM t1
+WHERE 1 IN (0,t1.a)
+GROUP BY t1.a
+) AS dt1
+JOIN
+(
+SELECT t1.a
+FROM t1
+WHERE 1 IN (0,t1.a)
+) AS dt2
+ON dt1.a = dt2.a;
+a	a
+1	1
+1	1
+SELECT * FROM
+(
+SELECT t1.a,MAX(t1.b)
+FROM t1
+GROUP BY t1.a
+) AS dt, t1
+WHERE dt.a=t1.a AND dt.a IN (1,t1.a);
+a	MAX(t1.b)	a	b
+1	3	1	2
+1	3	1	3
+DROP TABLE t1;
diff --git a/mysql-test/t/derived_cond_pushdown.test b/mysql-test/t/derived_cond_pushdown.test
index 718140d3a77..275eb9cca6e 100644
--- a/mysql-test/t/derived_cond_pushdown.test
+++ b/mysql-test/t/derived_cond_pushdown.test
@@ -1801,3 +1801,36 @@ EVAL $query;
 EVAL EXPLAIN FORMAT=JSON $query;
 
 DROP TABLE t1;
+
+--echo #
+--echo # MDEV-16517: pushdown condition with the IN predicate defined
+--echo #             with non-constant values
+--echo #
+
+CREATE TABLE t1 (a INT, b INT);
+INSERT INTO t1 VALUES (1,2),(1,3);
+
+SELECT * FROM
+(
+  SELECT t1.a
+  FROM t1
+  WHERE 1 IN (0,t1.a)
+  GROUP BY t1.a
+) AS dt1
+JOIN
+(
+  SELECT t1.a
+  FROM t1
+  WHERE 1 IN (0,t1.a)
+) AS dt2
+ON dt1.a = dt2.a;
+
+SELECT * FROM
+(
+  SELECT t1.a,MAX(t1.b)
+  FROM t1
+  GROUP BY t1.a
+) AS dt, t1
+WHERE dt.a=t1.a AND dt.a IN (1,t1.a);
+
+DROP TABLE t1;
diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc
index b86c0079bce..f176a0a8193 100644
--- a/sql/item_cmpfunc.cc
+++ b/sql/item_cmpfunc.cc
@@ -4438,7 +4438,7 @@ Item *Item_func_in::build_clone(THD *thd, MEM_ROOT *mem_root)
   {
     if (array && clone->create_array(thd))
         return NULL;
-    memcpy(&clone->cmp_items, &cmp_items, sizeof(cmp_items));
+    bzero(&clone->cmp_items, sizeof(cmp_items));
   }
   return clone;
 }

    